As a continuation of the first article, in which we looked at both the regulation of homeworking and the security and privacy measures that apply to it, in this second part we go deeper into what is really interesting about the regulation: the legal and technical balance between the parties, in this case employer and employee.
Balance Between the Employer’s Power of Control and The Worker’s Right to Privacy
The line drawn by the Courts for lawful access by the employer to the corporate information on devices starts with the employer's duty to have policies on the use of its devices, a matter regulated in the current Data Protection Act.
And the million-dollar question: can the employer access information on corporate devices and in corporate email? It depends. It depends on whether you look at it from the employer's or the employee's point of view, and the answer can be as varied as the case studies in the business world. The first thing to check is whether there is prior regulation of the use of devices. If there is, the document in question should be analysed, verifying which control measures it regulates and whether it contains express prohibitions on personal use. Such a prohibition may be motivated by information security reasons. On the other hand, in the absence of such regulation, an employee whose corporate information is accessed may claim that his or her right to privacy has been infringed, since the courts understand that, where there is no regulation, a certain tolerance of the personal use of company equipment exists in the workplace.
In both cases, and in order to avoid arbitrariness on the part of the employer, the employer is required to prove the existence of a prior suspicion of an employment infringement by the employee. On the basis of that evidence, the opening of an investigation and the gathering of evidence can be justified, in accordance with the principles of necessity, appropriateness and proportionality, so that the employer can prove the infringement while exercising the utmost diligence towards the employee's right to privacy.
To address the problem of minimising access to information, technicians often use software that allows heuristic searches based on keyword criteria, date range selection and files selected by their hash signature, so that they can separate the wheat from the chaff in a tangle of information and emails.
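An added example (not code from the original article) of the scoping step described above: items are first narrowed by date range and only then checked against agreed keywords or a list of known hashes, and the number of items left untouched is counted so that proportionality can be documented. The corpus and the criteria are constructed for illustration.

```python
# Added example, not from the article: scope a forensic search to agreed criteria so
# that only matching items are opened, and count what was left untouched. Corpus is constructed.
from datetime import date
import hashlib

def sha256_hex(text):
    """Digest used as the 'hash signature' of an item's body."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

# Constructed corpus: (path, last-modified date, body)
CORPUS = [
    ("mail/2020-03-02_project_x.eml", date(2020, 3, 2), "Project X timeline, see budget.xlsx"),
    ("mail/2020-03-10_lunch.eml", date(2020, 3, 10), "Lunch on Friday? Family photos attached"),
    ("mail/2020-03-11_fwd.eml", date(2020, 3, 11), "Forwarding budget.xlsx to my personal address"),
    ("docs/2019-12-01_notes.txt", date(2019, 12, 1), "Old notes with budget.xlsx figures"),
]

def scoped_search(corpus, start, end, keywords, hashes_of_interest):
    """Return (hits, excluded_count).

    An item is a hit only if its date lies in [start, end] AND it either contains
    one of the agreed keywords or its body digest is on the list of interest.
    Items outside the date range are skipped before their content is examined,
    which is what keeps the search within the proportionality that was agreed.
    """
    hits, excluded = [], 0
    for path, modified, body in corpus:
        if not (start <= modified <= end):
            excluded += 1
            continue
        digest = sha256_hex(body)
        matched = [k for k in keywords if k.lower() in body.lower()]
        if matched or digest in hashes_of_interest:
            hits.append({"path": path, "keywords": matched, "sha256": digest})
        else:
            excluded += 1
    return hits, excluded
```

The excluded count is the figure to record in the technician's report: it shows how much of the mailbox was never opened.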
A common question among lawyers and computer experts is who is responsible for the legality of the evidence obtained. The answer from both professions is that employers usually delegate the responsibility for obtaining digital evidence to computer experts, in many cases even when company lawyers are present, since the latter are often unaware of the specific regulations on the subject.
In this sense, and in order to limit their liability regarding the validity of the evidence, computer experts are advised to state this circumstance expressly, both the validity of the evidence and the limitation of liability, in the object of their contract for the provision of services. It is more advisable to bring in a third party, such as a lawyer specialised in evidence and technological investigation, so that the employer can establish a correct digital evidence strategy to prove the prior suspicion and, consequently, the legitimacy of the subsequent investigation. This professional assists the employer throughout a process that could end, for example, in a disciplinary dismissal, from obtaining the digital evidence to the defence in court.
Technical Tools for the Control of and Access to Information on Business Devices
Since our company has an IT support and cyber security team, we know very well what this sudden change in the way of working has meant for our clients, who were not prepared and had not taken the measures needed to guarantee the security of their information and the continuity of their business. We have had to configure their infrastructure to adapt it to the massive use of remote working, and also the personal equipment of users, which in general did not meet the minimum security requirements.
This is a complex scenario and requires the use of tools that allow control and secure access to the company’s information. Before drawing up an information security policy related to asset management and homeworking, we must ask ourselves these questions:
About the assets
- Is there a policy on the acceptable use of company assets such as the computer or laptop, mobile phone, email, instant messaging, internet, social networks, etc.?
- Is the use of company assets allowed on a personal basis?
- If so, has what counts as misuse been properly documented and explained?
- Has it been accepted and signed by the employee?
- How is this controlled and managed?
- Is there any monitoring or traceability?
- Once the employee/company relationship has ended, how are these assets returned?
- Is there a procedure and document for this purpose?
- What happens if they are not returned?
- Is there a specific homeworking policy for mobile users?
- Are the controls applied the same way for all users regardless of their location?
- Is there any type of MDM (Mobile Device Management) tool for mobile devices that allows their control and encryption?
- Have specific measures been implemented to guarantee secure use during homeworking? For example:
  - Use of a VPN (Virtual Private Network) connection
  - Secure passwords with a second authentication factor (2FA)
  - Backup copies
  - System updates
  - Specific security solutions (not only antivirus)
  - Security in the cloud (95% of attacks in the cloud will be the responsibility of users)
In any labour infringement committed through new technologies, it is mandatory to know and apply what is known as the Barbulescu II test, named after a well-known judgment of the European Court of Human Rights that sets out the criteria for lawful access to the information on corporate devices and in corporate email. The first step is to check whether policies on the use of corporate devices exist and whether they match the reality of the organisation and its working methods, including express prohibitions on personal use; otherwise the employee can claim what is known as an “expectation of privacy” in the personal use of corporate devices, and the evidence obtained could be declared null and void for violation of Fundamental Rights. Finally, it must be checked whether the principles of necessity, appropriateness and proportionality were applied to the access to the information on the employee's computer equipment.
It is understood that, once the above is complied with from both a legal and a technical point of view, the taking of evidence should be considered lawful and, consequently, taken into consideration by the Court, subject to the criteria of relevance and free assessment, and to the principles of publicity, orality, immediacy, contradiction and concentration in the oral proceedings.
There is no such thing as 100% cyber security, nor is there full legal certainty.
Case study: My Employee Is Fooling Me
Our company has a time-registration application in which employees must identify themselves at the start of each day, so that the time of arrival and departure is recorded. The employee in question also works with an application that records her whole process/activity. This has been in operation for 10 years, although lately we have noticed some strange behaviour and some unjustified absences. In addition, some of her colleagues complain about harassment and management has told her off on several occasions. Both the company and the employee keep track of absences from work, and a discrepancy is detected on a particular day on which the employee claims to have been at work.
Our forensic analysis begins with the access-logging application and the one she works with. We find that on that particular day two accesses are recorded for that user: one at 8:00, which lasts barely 2 seconds, and another at 8:05, which lasts until 14:00, the departure time. When the application was designed, not only the user's registration was taken into account but also the IP address from which the user connects. This IP is always the same, the company's, since all users work from inside the network and homeworking is not contemplated. It is found that the recorded IP is external, and therefore that the connection was made from outside the company. The log of the management application is also analysed, and it is verified that there was no activity for that user during that day. We then file the complaint and ask the court to have the communications operator identify and geolocate the recorded IP. The operator's report certifies that the IP corresponds to an ADSL line in the employee's name, geolocated at her usual home.
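The three checks applied above (source IP outside the office network, a login lasting only seconds, and no activity in the management application on the same day) as an added example that is not code from the original article. The log formats, the user name, the office address range 198.51.100.0/24 and the log lines themselves are all constructed assumptions.

```python
# Added example, not from the article: replay the case-study checks over constructed
# logs. Assumed formats: clock = "date time user ip event", activity = "date time user action".
from datetime import datetime
import ipaddress
CORPORATE_NET = ipaddress.ip_network("198.51.100.0/24")  # assumed office egress range
MIN_SESSION_SECONDS = 60                                  # sessions shorter than this are suspect
CLOCK_LOG = """\
2020-03-09 08:01:10 mgarcia 198.51.100.23 login
2020-03-09 14:02:05 mgarcia 198.51.100.23 logout
2020-03-10 08:00:00 mgarcia 203.0.113.77 login
2020-03-10 08:00:02 mgarcia 203.0.113.77 logout
2020-03-10 08:05:00 mgarcia 203.0.113.77 login
2020-03-10 14:00:00 mgarcia 203.0.113.77 logout
"""
ACTIVITY_LOG = """\
2020-03-09 08:15:00 mgarcia open_ticket
2020-03-09 11:40:00 mgarcia close_ticket
"""

def parse_sessions(clock_text):
    """Pair each login with the same user's next logout; return session records."""
    open_logins, sessions = {}, []
    for line in clock_text.splitlines():
        day, clock, user, ip, event = line.split()
        when = datetime.fromisoformat(f"{day} {clock}")
        if event == "login":
            open_logins[user] = (when, ipaddress.ip_address(ip))
        elif event == "logout" and user in open_logins:
            start, src = open_logins.pop(user)
            sessions.append({"user": user, "day": day, "start": start.strftime("%H:%M"),
                             "seconds": (when - start).total_seconds(), "ip": src})
    return sessions

def activity_days(activity_text):
    """(user, day) pairs with at least one action in the management application."""
    return {(line.split()[2], line.split()[0]) for line in activity_text.splitlines()}

def review(clock_text, activity_text):
    """One finding per clock session that contradicts 'I was in the office that day'."""
    worked, findings = activity_days(activity_text), []
    for s in parse_sessions(clock_text):
        reasons = []
        if s["ip"] not in CORPORATE_NET:            # logged in from outside the office network
            reasons.append(f"external ip {s['ip']}")
        if s["seconds"] < MIN_SESSION_SECONDS:      # a 2-second 'presence' is not a workday
            reasons.append(f"session only {s['seconds']:.0f}s")
        if (s["user"], s["day"]) not in worked:     # clocked in but produced nothing
            reasons.append("no activity in management app")
        if reasons:
            findings.append({"user": s["user"], "day": s["day"], "start": s["start"], "reasons": reasons})
    return findings
```

The clean day (2020-03-09) produces no finding, which is the control that shows the checks do not flag ordinary office attendance.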
Resolution of the Case
All the evidence found (the IP of the external connection, the activity in the management application, and the geolocation of the IP with a technical report from the operator) pointed to the employee herself having made the connection from home in order to show the company that she was working in the office that day. Finally, the ruling was favourable to the company.
First part of this article available here: